[wp-hackers] Rethinking check_admin_referer()

Geoff Johnson thunderlove at gmail.com
Thu Apr 20 07:40:57 GMT 2006


On 4/19/06, Robert Deaton <false.hopes at gmail.com> wrote:
> > When a request is made of an admin, along with (instead of, before) the
> > refer check, simply compare the cookie to the key embedded in the link.
>
> I open a new tab, browse some other page in my admin which overwrites
> said cookie, come back and try to submit that form (maybe I want to
> double check something on one of the manage pages before making my
> choice). The cookie has been overwritten and now no longer matches,
> and your system has caused an inconvenience for no [good] reason.

And I mentioned that ;)  Either you would need to hit refresh prior
to saving it (replace the 'enable referers' message with 'Go back and
hit refresh first'), or have an AYS.  Preferably an AYS.

Perhaps we merely have a difference of opinion -- for me, the
occasional AYS is hardly a show-stopper!

>> The database strategy seems overkill to me....
> This is why we'd like computational hashes that automatically expire
> within a certain time period.

Yes, and?   A random cookie is nothing but a computational hash that
expires with the next page view...

Of course, non-random hashes have their own problems (admittedly
minor, but so are the problems with a random key):

For starters, with a non-random hash, a constant string unique to each
site or element would be needed.  This should probably be stored in
the db (a constant in wp-config would also be possible, but then there
would be the convincing/explaining to people that 'no, you should not
use your site's name...')

Another, there would need to be overlapping hashes.  If a given key is
valid for a week, for example, there would need to be one for each day
(or whatever).  Otherwise, if Sunday is the first day of the week, a
hash generated late Saturday evening would soon expire.

Not that these are big problems.  But if the only objection to random
cookies is 'if I open a tab, I am inconvenienced by an AYS....'
[which, by the way, would only be necessary if you've disabled
referers...]

> > Another advantage of the random cookie idea:  automation with curl et al,
> > would be easy.
>
> What?

Not sure if that is a 'what is curl?' or 'what automation?'  cURL is
an http library.  Using it (or a similar library) as a
supplement/alternative to the XML-RPC api.

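The two caveats raised above for a non-random (computational) hash, a site-specific secret and overlapping validity windows, can be shown in a small model. The following is an added example written for this archive page; it is not code from the post or from WordPress. It assumes a constructed site secret, a one-week lifetime and a one-day tick, and it contrasts a hash keyed to the calendar week (which dies at the Saturday/Sunday boundary) with one keyed to the current day-tick and accepted for the previous six ticks as well.

```python
import hashlib
import hmac

# Assumed site-wide secret, constructed for this example. The post's point is
# that this must be a random per-site constant kept in the db or wp-config,
# never something guessable such as the site's name.
SITE_SECRET = b"constructed-example-secret-not-for-real-use"

DAY = 24 * 60 * 60
LIFETIME = 7 * DAY            # a key stays valid for a week, as in the post
TICK = DAY                    # one overlapping hash per day
VALID_TICKS = LIFETIME // TICK  # 7: the current tick plus the six before it


def _mac(secret, *parts):
    """HMAC-SHA256 over the '|'-joined parts, truncated to 16 hex chars.

    Truncation keeps the token short for a URL/form field; the secret is
    what makes it unforgeable, not the length.
    """
    msg = "|".join(str(p) for p in parts).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]


def naive_nonce(action, user_id, now, secret=SITE_SECRET):
    """Non-overlapping scheme: the hash is keyed to the calendar week only."""
    return _mac(secret, now // LIFETIME, action, user_id)


def naive_verify(token, action, user_id, now, secret=SITE_SECRET):
    """Accepts only a hash minted in the same calendar week as 'now'."""
    return hmac.compare_digest(token, naive_nonce(action, user_id, now, secret))


def nonce(action, user_id, now, secret=SITE_SECRET):
    """Overlapping scheme: the hash is keyed to the current day-tick."""
    return _mac(secret, now // TICK, action, user_id)


def verify(token, action, user_id, now, secret=SITE_SECRET):
    """Accept a hash minted in any of the last VALID_TICKS day-ticks.

    A key generated late Saturday evening is therefore still good for most of
    the following week instead of expiring at midnight.
    """
    current = now // TICK
    for age in range(VALID_TICKS):
        candidate = _mac(secret, current - age, action, user_id)
        if hmac.compare_digest(token, candidate):
            return True
    return False


def demo():
    """Mint a token a minute before the week rolls over and check it afterwards."""
    late_saturday = 7 * DAY - 60        # one minute before the naive week boundary
    early_sunday = 7 * DAY + 60         # one minute after it
    eight_days_later = late_saturday + 8 * DAY

    n_naive = naive_nonce("delete-post", 1, late_saturday)
    n_over = nonce("delete-post", 1, late_saturday)
    return {
        "naive_survives_rollover": naive_verify(n_naive, "delete-post", 1, early_sunday),
        "overlapping_survives_rollover": verify(n_over, "delete-post", 1, early_sunday),
        "overlapping_expires_after_week": verify(n_over, "delete-post", 1, eight_days_later),
        "wrong_action_rejected": verify(n_over, "publish-post", 1, early_sunday),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Binding the action and user id into the MAC means a token for one form cannot be replayed against another, which is the property the referer check was standing in for; the window loop is the "one for each day" overlap the post asks for, and the secret is the per-site constant it says must not be the site's name.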
